I love how every time there is a new fingerprint reader out, the manufacturer claims that "This one won't be defeated by a simple printer! We now analyze below the skin and measure heartbeats and check your blood's personality before unlocking!"

Then it is defeated by the guy with the fingerprint kit and printer again. Every time.

I literally said to myself "I've heard that before" when Tim Cook talked about the fingerprint reader during the liveblog.

That said, Apple's message has shifted from "it's security" to "it convinces more people to turn on the basic security features of their phone", which I guess is true but probably could have been achieved by simply having them enabled by default and having you set a PIN when you first set up your phone.

I wasn't really surprised I guess. These things are there for a convenient way to keep casual folks from poking around on your device. Same as Android's face unlock. You can use these kinds of things to keep your friend from posting dumb shit on your Facebook page when you aren't looking but they're no substitute for more robust security measures.

These are old, well-known attacks on fingerprint scanning. Similar techniques are known to exist on everything from the Thinkpad scanner to commercial lock systems. My question is, why is anyone surprised that fingerprint duplication techniques work on the new iPhone?? It's a gimmick feature built into a cellphone at the lowest possible cost. It also requires that attackers obtain your fingerprint. If they are doing that without your knowledge then you have more to worry about than your text messages...

On the other hand, today's smartphones contain a great amount of personal data where many would say that even a four-digit [PIN] is also insufficient.

He's right about that.

A 4-digit PIN absolutely is not good enough. It's far too easy to crack (it takes minutes), and once cracked you have access to the owner's email account, which allows access to their entire digital life.

Purchases on the App Store are much less of an issue, since Apple has a good refund policy. The real danger is someone stealing your phone and then stealing your identity.

Quote:

These are old, well-known attacks on fingerprint scanning. Similar techniques are known to exist on everything from the Thinkpad scanner to commercial lock systems. My question is, why is anyone surprised that fingerprint duplication techniques work on the new iPhone?? It's a gimmick feature built into a cellphone at the lowest possible cost. It also requires that attackers obtain your fingerprint. If they are doing that without your knowledge then you have more to worry about than your text messages...

You had me agreeing with you until you said "it also requires the attackers obtain your fingerprint." -- Your phone has your fingerprints all over it. It only requires that the attacker has possession of your phone.

I think watching the video, rather than making this attack look "trivial", makes it clear that this is *not* something that will be casually used to defeat Touch ID. Sure, the scanning and printing of the high contrast inverted print is something that most technically proficient people would be able to do, but the other steps clearly required specialized equipment (even if the process of UV etching etc, is conceptually simple).

There is also the issue of knowing that the print you lift is one that will unlock the phone. You are potentially left scanning and laboriously creating multiple fake prints to find one that is actually registered on the phone... to break into something formerly protected by a simple 4 digit pin (few users use the alphanumeric option).

Quote:

These are old, well-known attacks on fingerprint scanning. Similar techniques are known to exist on everything from the Thinkpad scanner to commercial lock systems. My question is, why is anyone surprised that fingerprint duplication techniques work on the new iPhone?? It's a gimmick feature built into a cellphone at the lowest possible cost. It also requires that attackers obtain your fingerprint. If they are doing that without your knowledge then you have more to worry about than your text messages...

Well, they would likely get the fingerprints from your phone. Why do you assume the fingerprint is more valuable than the phone?

Quote:

These are old, well-known attacks on fingerprint scanning. Similar techniques are known to exist on everything from the Thinkpad scanner to commercial lock systems. My question is, why is anyone surprised that fingerprint duplication techniques work on the new iPhone?? It's a gimmick feature built into a cellphone at the lowest possible cost. It also requires that attackers obtain your fingerprint. If they are doing that without your knowledge then you have more to worry about than your text messages...

Quote:

You had me agreeing with you until you said "it also requires the attackers obtain your fingerprint." -- Your phone has your fingerprints all over it. It only requires that the attacker has possession of your phone.

Actually, they don't need your phone to get the fingerprint... anything you touched that has your fingerprints on it, if the print can hold "fingerprint powder", would work. Get a toner cartridge from a photocopy machine, get some of the toner from it, mix in a small amount of some very finely crushed graphite (use standard lock graphite and just grind it up a little more) and you have a good fingerprint powder. Spread a little on a fingerprint on something the target touched and take a picture, feed it into some photo software and remove the background and any color except for the black "powder", adjust the color scale a little to make the black "powder" print stand out, then do the rest of what's in the video after the phone scan part. You end up with the same thing. That's how a person in a case of ours managed to bypass a biometric fingerprint scanner lock at a residence.

My impression is that this guy took down the iPhone sensor just for giggles (and because the fanboys trotted out a rather hysterical line of nonsense about how this time fingerprint reading was totally going to be insanely secure and stuff; but that his real concern is what would happen if something as shoddy (and hard to change) as fingerprints were adopted on a wider scale and for more purposes (think back to when the Chaos Computer Club shot down a politician who was looking to push biometrics by lifting his prints and distributing thousands of copies).

Is somebody going to lift your prints just to get into your phone? Maybe if you are important, or if that divorce is getting really bitter; but those cases aren't wildly common, and it's not as though the PIN you haven't set is any stronger. Would somebody lift your prints if some actually-important function were tied to biometrics (eg. bank accounts, opening a new CC, some national ID document, etc.)? Oh hell yeah. Low risk, not difficult, and a set of prints from a 'desirable' person could easily be worth real money, to somebody who needs to biometrically prove ID and isn't so keen to be themselves at that time. Grabbing prints in the hopes of getting those of somebody useful would probably be like planting skimmers on ATMs or building botnets: worth doing opportunistically, even with mediocre success rates, because the risks are low and the rewards are sometimes high.

The conspiracist in me says that Apple worked with the NSA to devise a plan to make the iPhone as easy to unlock as possible by disguising it as some "advanced biometric lock".

Regular Joe: oh it's so cooooool! It uses fingerprints! And easy too!

NSA: oh it's so cooool! We could just lift the print or force the dude to press the button. No more waterboarding to get them to spit out the password!

This is much more trouble than just swiping the lock. I guess that is the idea behind the fingerprint reader. The system is secure in the sense that you still need physical access to the device; the finger data is protected against remote access. (I wonder if this makes sense at all, LOL)

This is so silly. Of course a silicone-based printer copy of a fingerprint will be able to replicate the original. LET'S BE HONEST here, people: I'm not trying to hide my fingerprint; it's simply a deterrent to the average friend or peer.

I guess the real security on a smartphone is the ability to remotely disable/wipe your phone when you realize it's not in your possession. If someone has enough time with your device, fingerprints and 4 digit pins just don't cut it, and as the hacker admits, stronger passwords would be a pain on a frequently locked and unlocked device.

At first, I thought that a "smartwatch" was a redundant and pointless piece of hardware, but imagine pairing your smartwatch to your devices, and when they are in close proximity to the watch, security requirements can be reduced. If the watch is not actively paired (meaning you are not in proximity to the other device), you must use a higher security method (long password or 2 stage security) to access the device. This could be used on phones, tablets and PCs. It could actually help solve the security versus convenience issue.

Quote:

These are old, well-known attacks on fingerprint scanning. Similar techniques are known to exist on everything from the Thinkpad scanner to commercial lock systems. My question is, why is anyone surprised that fingerprint duplication techniques work on the new iPhone?? It's a gimmick feature built into a cellphone at the lowest possible cost. It also requires that attackers obtain your fingerprint. If they are doing that without your knowledge then you have more to worry about than your text messages...

Quote:

You had me agreeing with you until you said "it also requires the attackers obtain your fingerprint." -- Your phone has your fingerprints all over it. It only requires that the attacker has possession of your phone.

Quote:

Actually, they don't need your phone to get the fingerprint... anything that you touched that has your fingerprints on it, if the print can hold "fingerprint powder", would work. Get a toner cartridge from a photocopy machine, get some of the toner from it, mix in a small amount of some very finely crushed graphite (use standard lock graphite and just grind it up a little more) and you have a good fingerprint powder. Spread a little on a fingerprint on something the target touched and take a picture, feed it into some photo software and remove the background, then do the rest of what's in the video after the phone scan part. You end up with the same thing. That's how a person in a case of ours managed to bypass a biometric fingerprint scanner lock at a residence.

They do need your phone. What good is a fingerprint, with no fingerprint reader to bypass? You're right that your fingerprint can be lifted elsewhere, but for the purposes of this discussion, they need to be in physical possession of your phone anyway.

Provided I know which part of which finger, have the phone, a computer, a scanner, a PCB etching kit, a decent print, a decent amount of time, and the phone's owner doesn't know.

Either I don't know what trivial means, or he doesn't.

Perhaps trivial in this context is referring to someone that practices in the art.

For example, I think the concept of generics and lambdas to be trivial, but I'm pretty sure if I explained it to some of my non-engineering friends, they wouldn't have the foggiest clue what I'm talking about.

Quote:

This is so silly. Of course a silicone-based printer copy of a fingerprint will be able to replicate the original. LET'S BE HONEST here, people: I'm not trying to hide my fingerprint; it's simply a deterrent to the average friend or peer.

The biggest point he was making is that it's more for convenience, not security. I think when they said security he thought BS and called them on it. Yes, his technique is a bit more complex than most might think, but I'd be willing to bet the other researchers that are trying to play his technique down are just mad they didn't think of an idea that simple first. Essentially he got his own fingerprint off his phone and made a rubber 3-dimensional version of it. This required no coding and a handful of things that can all probably be purchased off of Amazon for $200 or less, or the parts purchased and assembled (minus the Apple products and printers).

edit: grammar and add second thought

Second thought: the average person hasn't made a PCB that they flashed and etched either... I have once, when making a guitar pedal PCB. The supplies were all stuff I found at RadioShack for relatively cheap.

Quote:

These are old, well-known attacks on fingerprint scanning. Similar techniques are known to exist on everything from the Thinkpad scanner to commercial lock systems. My question is, why is anyone surprised that fingerprint duplication techniques work on the new iPhone?? It's a gimmick feature built into a cellphone at the lowest possible cost. It also requires that attackers obtain your fingerprint. If they are doing that without your knowledge then you have more to worry about than your text messages...

Quote:

You had me agreeing with you until you said "it also requires the attackers obtain your fingerprint." -- Your phone has your fingerprints all over it. It only requires that the attacker has possession of your phone.

Quote:

Actually, they don't need your phone to get the fingerprint... anything that you touched that has your fingerprints on it, if the print can hold "fingerprint powder", would work. Get a toner cartridge from a photocopy machine, get some of the toner from it, mix in a small amount of some very finely crushed graphite (use standard lock graphite and just grind it up a little more) and you have a good fingerprint powder. Spread a little on a fingerprint on something the target touched and take a picture, feed it into some photo software and remove the background, then do the rest of what's in the video after the phone scan part. You end up with the same thing. That's how a person in a case of ours managed to bypass a biometric fingerprint scanner lock at a residence.

Quote:

They do need your phone. What good is a fingerprint, with no fingerprint reader to bypass? You're right that your fingerprint can be lifted elsewhere, but for the purposes of this discussion, they need to be in physical possession of your phone anyway.

Well, of course they need the phone to bypass it, but they don't need the phone to get a usable print. That was pretty obvious and I didn't think I needed to say it, but if you need every little step and word: they can get a print previous to taking the phone and have it ready to go.

Quote:

Provided I know which part of which finger, have the phone, a computer, a scanner, a PCB etching kit, a decent print, a decent amount of time, and the phone's owner doesn't know.

Either I don't know what trivial means, or he doesn't.

You don't.

Assuming access to the supplies (and it's not unreasonable stuff to have around; the required PCB etching materials can be picked up at any RadioShack), the whole thing could be done start to finish in roughly an hour. Maybe less.

Obtaining the phone would be the most difficult part. After that, it's cake.

The obvious solution is to use a biometric print which you don't leave all over the place, and this explains the interest in using nipples and the like.

I don't want to live in a future of everyone rubbing their phones to their nipples.

My gut reaction to fingerprint scanners was "noooooooooooooo!" because basically they're a terrible form of security. It seems Apple's position is "it's less terrible and more convenient than a 4-digit PIN", which is fairly true. It's for this reason that if I want to use an iPhone to hook into work email, I have to use a proper password and have encryption involved.

Quote:

I love how every time there is a new fingerprint reader out, the manufacturer claims that "This one won't be defeated by a simple printer! We now analyze below the skin and measure heartbeats and check your blood's personality before unlocking!"

Then it is defeated by the guy with the fingerprint kit and printer again. Every time.

I literally said to myself "I've heard that before" when Tim Cook talked about the fingerprint reader during the liveblog.

That said, Apple's message has shifted from "it's security" to "it convinces more people to turn on the basic security features of their phone", which I guess is true but probably could have been achieved by simply having them enabled by default and having you set a PIN when you first set up your phone.

I don't recall Apple making the claims you say they made. They've said it was more secure than no passcode, indicated the low chance of false positives (unlocking with a different print) and explained how it worked (sub-epidermal scanning). I don't recall them indicating how difficult it was to defeat through creating a copy of the fingerprint, nor would I expect them to.

Even the guy that bypassed the system didn't think Apple was lying about how their sensor worked:

Quote:

I wasn't actually able to find sufficient details on how the sensor works. I do assume they use sub-epidermal scanning. However, the scanned tissue is too similar to the upper layers of the skin. The most likely issue is the arbitrary threshold that Apple chose. They had to ensure that their setting works reliably, i.e. it shouldn't need to scan his finger twice because the sensor rejected the first attempt. Put simply, they chose usability and convenience over security. Hence, the fingerprint sensor can always be defeated as long as the materials used for the fake are sufficiently close to the characteristics of human tissue, and as long as the scan of a high-resolution fingerprint is available.

Quote:

Provided I know which part of which finger, have the phone, a computer, a scanner, a PCB etching kit, a decent print, a decent amount of time, and the phone's owner doesn't know.

Either I don't know what trivial means, or he doesn't.

Quote:

Perhaps trivial in this context is referring to someone that practices in the art.

For example, I think the concept of generics and lambdas to be trivial, but I'm pretty sure if I explained it to some of my non-engineering friends, they wouldn't have the foggiest clue what I'm talking about.

It wasn't trivial because he practices the art. It was trivial because he practices the art and had total control over the process. Same reason programmers shouldn't be the last person to test code they themselves wrote.

Get back to me when he's able to take a phone he hasn't been in control of, and get by using a fingerprint he hasn't himself set. Then I'll concede to the triviality of this "hack".

The best use I can think of, security-wise, for this is to reduce password inputs. I think someone mentioned the idea in a previous Ars article.

You type your password in, and for the next hour (or whatever period of time) you can access it via fingerprint. Each successful login resets the counter to another hour.

Users could probably go all day and enter a password once. But it seems that, given current technology, it's unlikely someone could steal the phone, get to a location with the appropriate equipment, and create a good fingerprint within that window.
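The grace-window scheme the comment above describes, as an added illustration that is not the commenter's code or anything Apple ships: a password unlock opens a window (one hour here, the comment's suggestion) during which a matching fingerprint is accepted and each successful unlock extends the window; once the window has lapsed, even a sensor match is refused and the password is demanded. The class and method names, the injectable clock, and the scenario in `demo()` are constructed for this example; a real implementation would verify a password hash rather than compare plaintext.

```python
import hmac
import time
from dataclasses import dataclass, field
from typing import Callable, List

GRACE_SECONDS = 3600  # one hour, as the comment suggests (assumed value)


class FakeClock:
    """Constructed monotonic clock so the demo runs deterministically offline."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class UnlockPolicy:
    """Grace-window unlock policy (hypothetical name).

    The biometric path is only a convenience inside the window opened by a
    password entry; outside it the policy falls back to the password, so a
    lifted print is useless to a thief who cannot act within the window.
    """

    password: str                                  # demo only; store a hash in real code
    grace_seconds: int = GRACE_SECONDS
    clock: Callable[[], float] = time.monotonic    # injectable for tests
    window_end: float = field(default=0.0)         # clock value at which biometrics stop

    def _extend_window(self) -> None:
        self.window_end = self.clock() + self.grace_seconds

    def unlock_with_password(self, attempt: str) -> bool:
        # Constant-time comparison; a correct password (re)opens the window.
        ok = hmac.compare_digest(attempt.encode(), self.password.encode())
        if ok:
            self._extend_window()
        return ok

    def unlock_with_fingerprint(self, sensor_match: bool) -> str:
        """Return 'unlocked', 'rejected', or 'password_required'.

        The window check comes first, so a matching (or faked) print outside
        the window never unlocks the device and never extends the window.
        """
        if self.clock() >= self.window_end:
            return "password_required"
        if not sensor_match:
            return "rejected"
        self._extend_window()
        return "unlocked"


def demo() -> List[str]:
    """Walk the policy through a constructed day and return each outcome."""
    clock = FakeClock()
    policy = UnlockPolicy(password="correct horse battery", clock=clock)
    results = []
    results.append(policy.unlock_with_fingerprint(True))        # no window yet
    policy.unlock_with_password("correct horse battery")        # opens window to t=3600
    clock.advance(3000)
    results.append(policy.unlock_with_fingerprint(True))        # inside window, extends to 6600
    clock.advance(3500)                                         # t=6500
    results.append(policy.unlock_with_fingerprint(False))       # sensor mismatch
    results.append(policy.unlock_with_fingerprint(True))        # extends to 10100
    clock.advance(4000)                                         # t=10500, window lapsed
    results.append(policy.unlock_with_fingerprint(True))        # a lifted print is too late
    return results


if __name__ == "__main__":
    for step, outcome in enumerate(demo(), 1):
        print(step, outcome)
```

The ordering inside `unlock_with_fingerprint` is the security-relevant detail: the window test runs before the sensor result is consulted, so a failed or stale attempt can never extend the window, and the 48-hour passcode fallback discussed later in the thread is the same idea with a longer window.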

I don't care what one hacker or another claims. If Ars wants to show that defeating the Apple fingerprint sensor with a stolen iPhone 5S is feasible, then Ars should set up its own test. In my experience, stolen iPhones are taken in public places when the owner mistakenly leaves the phone. The thief knows nothing about the owner at first. The thief only has the phone and then leaves with just the phone very quickly.

Considering that typical theft situation, here is how a fair test of the sensor should be done, imo.

1. Get an iPhone 5S that has been in regular use, with the usual abundance of fingerprint smudges.
2. The iPhone 5S should have been set up for fingerprint unlocking.
3. The Ars team must get its fingerprints from the iPhone 5S without knowing which finger was used.
4. As soon as the Ars test team gets the iPhone 5S, the clock begins. The Ars team will only have 48 hours to defeat the fingerprint sensor, because in 48 hours the iPhone will switch to the passcode to be unlocked.
5. In the 48 hours the Ars team must defeat the sensor.

Simple. Otherwise all of these comments about the sensor being easy to fool WITH A STOLEN IPHONE 5S are hearsay. Why? Because in the CCC video a fingerprint copy could have been made days before the CCC video was done. A major part of the difficulty in fooling the iPhone 5S sensor WITH A STOLEN PHONE is that typically, at first, the fingerprint used to unlock it is unknown. That was not shown in the CCC video. In the CCC video, the tester used his own fingerprint to unlock the phone.

Again, my suggestion: Ars, do your own test and set up the conditions as if the phone was stolen.